RE: asa 8.2 to 8.3 config conversion

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Wed, 28 Aug 2013 15:54:59 +0000

I just got my SRX240 legs as good as my ASA legs this month... pretty much planning to do the JNCIE-SEC right after the CCIE-SEC (again) LAB in a couple months...

The Juniper is looking really good right now with all these 8.x code issues :)

We are running junos-srxsme-12.1R4.7-domestic.tgz

thanks

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Wednesday, August 28, 2013 11:39 AM
To: Joe Astorino
Cc: Tauseef Khan; Ryan West; Cisco certification
Subject: Re: asa 8.2 to 8.3 config conversion

Welcome to the club, Joe. This just furthers the customer to need us as 8.3+ is equal to starting over. Once you get used to it, you'll prefer it. You just need to go through it, trial by fire. Don't be too "manly" to give TAC a call.
I feel like I'm very strong on ASA, but don't think I didn't open a ticket with the backbone TAC team in RTP proactively! I have over 3,000 nats in a very complicated environment on this pair.

Hopefully this weekend after my window of success, I'll be sipping on an adult beverage and doing a little dance. This will be our 8th pair converted, with only 46 more to be done. This one is the most difficult pair, so it's downhill from here. ;)

Cheers.

Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
Sent from my iPhone 5

On Aug 28, 2013, at 10:27 AM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:

> I'm doing an upgrade for a client from 8.0 to 8.3 soon. Apparently, the
> upgrade path must go through 8.2 first. Why the customer insists on using
> 8.3 is beyond me, but oh well! God be with me hah
>
>
>
>
> On Wed, Aug 28, 2013 at 6:53 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> That's the million dollar question that no-one ever asks. Not every
>> bug is "one size fits all".
>>
>> The bug ID is CSCue11738.
>>
>> Cheers, and good luck.
>>
>> Regards,
>> Jay McMickle- 2x CCIE #35355 (R/S,Sec)
>> Sent from my iPhone 5
>>
>> On Aug 28, 2013, at 5:40 AM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>>
>> > yes that's fine Jay, We are going to go for this asa846-smp-k8.bin on
>> > 5585-xssp40s. My migration is from fwsm 3.2(13) so I need to convert the
>> > config manually.
>> > did you get the bug id for 8.4.5?
>> >
>> > Kind regards
>> >
>> > Tauseef
>> > mobile: +44 7837209187
>> >
>> >
>> > On 28 August 2013 01:00, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> >> My two cents-
>> >> We went through an upgrade failure last weekend and re-attempting this
>> >> weekend.
>> >>
>> >> We hit a bug in 8.4.5. The correct upgrade path is 8.2.5 to 8.4.6 to
>> >> 9.1.2.
>> >>
>> >> This pair was a 5585-20-SSP and we didn't have anything on the shelf to do
>> >> an offline upgrade. Since the 5585's were the first SMP code, they go down to
>> >> 8.2, but all other x series start at 8.6. So, a SMP to non-SMP was needed, but
>> >> then the number of interfaces became an issue. We ended up breaking the
>> >> failover the morning of the upgrade since we only had a 15minute window, but
>> >> hit the bug in 8.4.5 (nat's were converted but ACL's were not). We still have
>> >> failover broken and we've upgraded it, waiting for our 15min outage window
>> >> this weekend.
>> >>
>> >> In the long run, skip 8.3 and 8.4.5. Use 8.4.6 as your interim stop for the
>> >> NAT conversion and then to 9.1.
>> >>
>> >> I hope that helps.
>> >>
>> >> Regards,
>> >> Jay McMickle- 2x CCIE #35355 (R/S,Sec)
>> >> Sent from my iPhone 5
>> >>
>> >> On Aug 27, 2013, at 11:47 AM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>> >>
>> >> > Thanks Ryan, That's what I was looking for.
>> >> >
>> >> > Kind regards
>> >> >
>> >> > Tauseef
>> >> > mobile: +44 7837209187
>> >> >
>> >> >
>> >> > On 27 August 2013 17:24, JB Poplawski <jb.poplawski_at_gmail.com> wrote:
>> >> >
>> >> >> Throw the image and let it fly? LOL - Have TAC on the line and ready.
>> >> >> Get a 5505 and sim it up. Better to be safe than sorry.
>> >> >>
>> >> >>
>> >> >> On Tue, Aug 27, 2013 at 8:55 AM, Ryan West <rwest_at_zyedge.com> wrote:
>> >> >>
>> >> >>> Might want to try this one -
>> >> >>>
>> >> >>> http://www.tunnelsup.com/nat-converter
>> >> >>>
>> >> >>> that should get you into 8.3+, but if you're planning on running 9.x, you
>> >> >>> may want to run 8.4 first and then switch to 9.x and let any other
>> >> >>> conversions take place there.
>> >> >>>
>> >> >>> Also, if you do use the ASA to upgrade from 8.2 to 8.3 and you're running
>> >> >>> any remote access VPN's, be prepared for them to break. It's usually an
>> >> >>> out of order NAT and a quick fix.
>> >> >>>
>> >> >>> -ryan
>> >> >>>
>> >> >>> -----Original Message-----
>> >> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>> >> >>> Sent: Tuesday, August 27, 2013 11:24 AM
>> >> >>> To: Tauseef Khan
>> >> >>> Cc: Cisco certification
>> >> >>> Subject: Re: asa 8.2 to 8.3 config conversion
>> >> >>>
>> >> >>> Sure np.
>> >> >>>
>> >> >>> One little observation though - the FWSM does not use 8.x software
>> >> >>> release train though .... 8.x is exclusive to ASA. FWSM latest train stops
>> >> >>> on 4.x.
>> >> >>>
>> >> >>> Back to your query though; you might want to try converting FWSM-> ASA pre
>> >> >>> 8.3 -> ASA 8.3+
>> >> >>>
>> >> >>> Would that work?
>> >> >>>
>> >> >>>
>> >> >>> On Tue, Aug 27, 2013 at 4:13 PM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>> >> >>>
>> >> >>>> thanks for the help but its a FWSM to ASA migration.
>> >> >>>>
>> >> >>>> Kind regards
>> >> >>>>
>> >> >>>> Tauseef
>> >> >>>> mobile: +44 7837209187
>> >> >>>>
>> >> >>>>
>> >> >>>> On 27 August 2013 15:54, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> >> >>>>
>> >> >>>>> You do not have to 'convert' the configuration. Just stick the new
>> >> >>>>> image on the firewall(s) and boot them up. The configuration should
>> >> >>>>> pretty much convert itself.
>> >> >>>>>
>> >> >>>>> PS: Note that NAT exemption is no more available in 8.3+ and is
>> >> >>>>> replaced by Identity NAT, so keep an eye out for that! I can't think
>> >> >>>>> of anything else you should worry about at the moment.
>> >> >>>>>
>> >> >>>>> Hope that helps a bit.
>> >> >>>>>
>> >> >>>>> Sadiq
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Tue, Aug 27, 2013 at 3:46 PM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:
>> >> >>>>>
>> >> >>>>>> Does anyone know if there is a script available to convert ASA
>> >> >>>>>> 8.2 to post 8.3 configs
>> >> >>>>>>
>> >> >>>>>> Kind regards
>> >> >>>>>>
>> >> >>>>>> Tauseef
>> >> >>>>>> mobile: +44 7837209187
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> Blogs and organic groups at http://www.ccie.net
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> _______________________________________________________________________
>> >> >>>>>> Subscription information may be found at:
>> >> >>>>>> http://www.groupstudy.com/list/CCIELab.html
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> --
>> >> >>>>> CCIEx2 (R&S|Sec) #19963
>> >> >>>
>> >> >>>
>> >> >>> --
>> >> >>> CCIEx2 (R&S|Sec) #19963
>> >> >>>
>> >> >>>
Received on Wed Aug 28 2013 - 15:54:59 ART
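
Two conversion points come up in the thread above: "nat 0" exemptions become identity NAT in 8.3+, and the 8.4.5 upgrade converted NATs but not ACLs. The Python sketch below is an added example (not from any poster or from Cisco) that lists both kinds of line in an 8.2-style config so they can be checked after the upgrade. The sample config is constructed, only host (/32) statics are handled, and it assumes the 8.3+ behaviour that interface ACLs match the real rather than the mapped address.

```python
import re

# Constructed 8.2-style configuration (documentation addresses only).
SAMPLE_82 = """\
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.99 eq 25
nat (inside) 0 access-list NONAT
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
"""

# 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip (host statics only)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit(config):
    """Return (exemptions, acl_rewrites) to verify after the upgrade."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    mapped_to_real = {}   # (mapped interface, mapped IP) -> real IP
    exemptions = []       # (real interface, ACL name) pairs using "nat 0"
    acl_to_ifc = {}       # ACL name -> interface it is applied inbound on
    for line in lines:
        if m := STATIC_RE.match(line):
            _real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            mapped_to_real[(mapped_ifc, mapped_ip)] = real_ip
        elif m := EXEMPT_RE.match(line):
            exemptions.append(m.groups())
        elif m := GROUP_RE.match(line):
            acl_to_ifc[m.group(1)] = m.group(2)
    rewrites = []
    for line in lines:
        parts = line.split()
        if parts[0] != "access-list" or parts[1] not in acl_to_ifc:
            continue
        ifc = acl_to_ifc[parts[1]]
        for i, tok in enumerate(parts[:-1]):
            real = mapped_to_real.get((ifc, parts[i + 1])) if tok == "host" else None
            if real:  # ACE still names the mapped IP; 8.3+ expects the real IP
                fixed = parts[:i + 1] + [real] + parts[i + 2:]
                rewrites.append((line, " ".join(fixed)))
    return exemptions, rewrites


if __name__ == "__main__":
    ex, rw = audit(SAMPLE_82)
    print("nat 0 exemptions to re-check as identity NAT:", ex)
    for old, new in rw:
        print(old, "->", new)
```

Comparing the expected rewrites against the ACLs in the post-upgrade running config shows whether the ACL half of the conversion actually happened.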

This archive was generated by hypermail 2.2.0 : Sun Sep 01 2013 - 08:35:51 ART